CVE-2026-33241

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-33241

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33241.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-33241

Aliases

GHSA-pp9r-xg4c-8j4x

Published

2026-03-23T23:41:50.533Z

Modified

2026-04-10T05:42:40.171239Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Salvo Affected by Denial of Service via Unbounded Memory Allocation in Form Data Parsing

Details

Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations (form_data() method and Extractible macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) conditions by sending extremely large payloads, leading to service crashes and denial of service. Version 0.89.3 contains a patch.

Database specific

{
    "cwe_ids": [
        "CWE-770"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33241.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/salvo-rs/salvo

Affected ranges

Type

GIT

Repo

https://github.com/salvo-rs/salvo

Events

Introduced

Fixed

f8fb007c4c765dd0a4961f81846e6f27629dcd28

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.89.3"
        }
    ]
}

Affected versions

v0.*

v0.18.3

v0.18.4

v0.19.0

v0.19.1

v0.20.0

v0.21.0

v0.21.1

v0.21.2

v0.21.3

v0.21.4

v0.21.5

v0.21.7

v0.22.0

v0.22.1

v0.22.2

v0.23.0

v0.23.1

v0.23.2

v0.23.3

v0.24.0

v0.24.1

v0.24.2

v0.24.4

v0.25.0

v0.25.1

v0.26.0

v0.26.1

v0.27.0

v0.28.1

v0.28.2

v0.29.0

v0.29.1

v0.30.0

v0.31.0

v0.31.1

v0.32.0

v0.33.1

v0.33.2

v0.34.2

v0.34.3

v0.35.1

v0.35.2

v0.36.0

v0.37.0

v0.37.1

v0.37.2

v0.41.1

v0.42.0

v0.42.1

v0.43.0

v0.44.0

v0.44.1

v0.45.0

v0.46.0

v0.47.0

v0.48.0

v0.48.1

v0.48.2

v0.49.0

v0.49.1

v0.50.1

v0.50.2

v0.50.3

v0.50.4

v0.50.5

v0.51.0

v0.52.0

v0.52.1

v0.53.0

v0.54.0

v0.54.1

v0.54.3

v0.55.0

v0.55.1

v0.55.2

v0.55.3

v0.55.4

v0.55.5

v0.56.0

v0.57.0

v0.58.0

v0.58.1

v0.58.2

v0.58.3

v0.58.4

v0.58.5

v0.59.0

v0.59.1

v0.60.0

v0.61.0

v0.63.0

v0.63.1

v0.64.0

v0.64.1

v0.64.2

v0.65.0

v0.65.1

v0.65.2

v0.66.1

v0.66.2

v0.67.0

v0.67.1

v0.67.2

v0.68.0

v0.68.1

v0.68.2

v0.68.3

v0.68.4

v0.68.5

v0.69.0

v0.70.0

v0.71.0

v0.71.1

v0.72.0

v0.72.1

v0.72.2

v0.72.3

v0.72.4

v0.73.0

v0.74.0

v0.74.1

v0.74.2

v0.74.3

v0.75.0

v0.76.0

v0.76.1

v0.76.2

v0.77.0

v0.77.1

v0.78.0

v0.79.0

v0.80.0

v0.81.0

v0.82.0

v0.83.0

v0.84.0

v0.84.1

v0.84.2

v0.85.0

v0.86.0

v0.87.0

v0.87.1

v0.88.0

v0.88.1

v0.89.0

v0.89.1

v0.89.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33241.json"